From a10aee732e36f18a8f3e35da9a205a24ba229373 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen
Date: Sat, 12 Mar 2022 15:41:35 +0100
Subject: Security: Add CSRF checks when updating concerts table.

---
 includes/admin/views/_concerts_table.php | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/includes/admin/views/_concerts_table.php b/includes/admin/views/_concerts_table.php
index a7bf7c5..13d723a 100644
--- a/includes/admin/views/_concerts_table.php
+++ b/includes/admin/views/_concerts_table.php
@@ -29,9 +29,18 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
 private string $username;
 private array $filter;
 private int $page_no;
+ private string $nonce;
 public static function update() : void {
+ //
+ // Check that we get a nonce, and that it is valid to prevent CSRF attacks.
+ //
+ if (!isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'concerts-table')) {
+ wp_die('You are not allowed to do that.', 403);
+ exit();
+ }
+
 if (isset($_POST['assignitem'])) {
 $concert = GiglogAdmin_Concert::get(intval($_POST['cid']));
@@ -130,8 +139,12 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
 wp_mail( $dest, $subject, $body );
 }
- public function __construct() {
+ public function __construct()
+ {
 $this->username = wp_get_current_user()->user_login;
+
+ // Set the nonce we use to check for CSRF attacks.
+ $this->nonce = wp_create_nonce('concerts-table');
 $this->get_args();
 }
@@ -387,6 +400,7 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
 { return '
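Review bot: The new guard at the top of update() verifies request intent with wp_verify_nonce() but not authorization, and nothing in the hunk checks current_user_can() before the `$_POST['assignitem']` branch; since the nonce is embedded in the table markup, any logged-in user who can view that table can still submit a valid request, so unless the capability is enforced where update() is hooked, add `if (!current_user_can(/* capability required by this admin page */)) { wp_die('You are not allowed to do that.', 403); }` after the nonce check. The `exit();` after `wp_die(...)` is unreachable in practice, because wp_die() ends the request through its die handler; it can be dropped. WordPress convention is also to pass the raw value through `sanitize_text_field(wp_unslash($_POST['nonce']))` before wp_verify_nonce(), which keeps an array-valued `nonce[]` parameter from reaching the string comparison. update()'s body continues outside the hunk.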
'
+ . ''
 . ''
 . \EternalTerror\ViewHelpers\select_field(
 'selectstatus',
@@ -423,6 +437,7 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
 //first check if current slot is taken by current user
 if ( $assigned_user == $this->username ) {
 $f = ''
+ . ' '
 . ' '
 . ' '
 . ' '
@@ -438,6 +453,7 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
 } else { //not taken by anyone
 $f = ''
+ . ' '
 . ' '
 . ' '
 . ' '
-- 
cgit v1.2.3
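Review bot: The hidden nonce field is hand-built from `$this->nonce` at three render sites (this hunk and the two at @@ -423 and @@ -438); the input markup is stripped in this rendering, so I cannot confirm how the value is emitted, though wp_create_nonce() returns a short hash fragment, so escaping is low risk. Replacing the three string concatenations with `wp_nonce_field('concerts-table', 'nonce', true, false)` would generate the field from one place, matching the `wp_verify_nonce($_POST['nonce'], 'concerts-table')` check on the receiving side, and it adds a `_wp_http_referer` field that update() does not require but that is harmless. With that, the `$nonce` property and its initialisation in the constructor hunk (@@ -130) become unnecessary. The enclosing methods start outside these hunks.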